The European Commission has preliminarily found that Meta’s Instagram and Facebook services breach the Digital Services Act (DSA) for failing to identify and mitigate the risk of minors below the age of 13 accessing the services.
Meta’s terms and conditions set the minimum age to access Facebook and Instagram at 13. However, the Commission has found that the measures put in place to enforce these restrictions appear ineffective and inadequate. They do not prevent minors under the age of 13 from accessing their services and do not identify and remove them swiftly if they already gained access. When creating an account, there are no effective age-checks in place if a child under 13 enters a false birth date that makes them 13 or older.
The Commission has found that Meta’s tool for reporting minors is ineffective and difficult to use, requiring several steps to access a reporting form which is not automatically filled with the user’s information. There is often a lack of follow-up if a minor is reported for being under-age and the individual can continue to use the service without any proper type of check.
These failures come in addition to what the Commission describes as an ‘incomplete and arbitrary risk assessment’ which fails in identifying risk of minors under 13 on Facebook and Instagram being exposed to age-inappropriate content and experiences. Meta’s assessment was not in line with evidence compiled across the EU which indicated that around 10-12% of children under 13 are accessing Meta’s platforms. The Commission also argues that Meta has disregarded accessible scientific evidence that younger children have a higher vulnerability to potential harms caused by platforms like Facebook and Instagram.
At this stage in its investigation, the European Commission recommends that Instagram and Facebook must change their risk assessment methodology to more effectively evaluate the risks and how they arise on Instagram and Facebook. Instagram and Facebook must also strengthen their measures to identify, prevent and remove minors under 13 who are using their platforms.
Instagram and Facebook can reply in writing to the Commission’s preliminary findings. They can also take action to address the breaches, in line with the 2025 DSA Guidelines on protection of minors. The guidelines set out a non-exhaustive list of proportionate and appropriate measures to protect children from online risks such as grooming, harmful content, problematic and addictive behaviours, as well as cyberbullying and harmful commercial practices.
If the Commission’s views are confirmed, it may issue a non-compliance decision which can trigger a fine proportionate to the infringement. The Commission may also impose periodic penalty payments to ensure the platforms’ compliance.
